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Management & Program Analyst 


Cyber Division 
Internet Crime Complaint Center (ІСЗ) 
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UNCLASSIFIED 


To: ; San Francisco 
Re: 12/06/2011 


account to obtain access to the 
account, which was an administrator for 
cloudflare.com's Google Apps account. 


stated that the subjects compromised the 
account by initiating Google's account recovery 
procedures for the account. One of the account recovery options 
was to receive a voice call to a recovery telephone number that 
the user had previously associated with the account. The voice 
call provides the user with a unique code that can be used to 
regain access to the account. 


According to CloudFlare's blog post, the subjects 
instructed Google's system to send a voice call to the cell phone 


liste recovery number on the account, 
According to on his blog, the voicemail 
associated with the telephone number was 
compromised. also mentioned that he received an incoming 
call on his cell phone from telephone number The 
Google records showed that telephone number was 
associated with the subjects. айуізей that the subjects 
placed a call from to S cell phone shortly 


before the incoming voice call from Google's account recovery 
system thereby forcing the call from Google to the compromised 
voicemail box. 


advised that once the subjects obtained access to 
account, the subjects attempted to lock 

e account by changing the password, secondary 
email address, a ecovery telephone number on the account. 
The subjects preme 2. for control of the account until 


the 


Google staff disabled the account and provided access to the 
account back to 


stated that while the subjects had access to the 
account, they used that access to compromise 

t by requesting that a password 
be sent to the secondary 
email account, 
the account was configured to use Google's 
2-step verification feature. However, a now-fixed flaw in the 
account recovery flow for Google Apps accounts allowed the 


subjects to bypass 2-step verification and compromise the 
Co  — — becount. 
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To: Cyber From: San Francisco 
Re: [H 12/06/2011 


Once the subjects had access ғо ]в Google Apps 


account, they used that access to compromise other CloudFlare 
Google Apps accounts, саба According to 
CloudFlare, the subjects used their access to modify proxy 


settings for CloudFlare published two blog posts about 
the incident. said the blo osts could befound at 


advised that Google's investigation found that 
the subjects may have compromised other Google Accounts, in 
addition to the / CloudFlare accounts. In some 
cases, the subjects made unsuccessful recovery claims on Gmail 
accounts. 


It is requested that the following subfiles be opened 
and assigned to sat] 


GJ Grand Тигу Materials 
1АСЈ Grand Тигу 1А Materials 
In view of the above, it is requested that a new 
matter be opened and assigned to зА [— 
++ 
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U.S. Department of Justice 


Federal Bureau of Investigation 


b7E 


In Reply, Please Refer t 450 Golden Gate Avenue, 
File No. San Francisco, California 94102 
(415) 553-7400 


June 13, 2012 


USA Melinda L. Haag 

United States Attorney 
Northern District of California 
450 Golden Gate Avenue 

San Francisco, California 94102 


Attn: aua be 
San Jose United States Attorney's Office b7C 


UNSUB(S), 
UGNAZI; 
GOOGLE INC. - VICTIM, 
CLOUDFLARE - VICTIM, 
- VICTIM; b6 
COMPUTER INTRUSION b7C 


Dear USA Haag: 
In June of 2012, the San Francisco Division received 


information from Google, Inc. regarding an investigation 
involving a group of individuals who compromised various Google 


Accounts, including accounts that belonging to the company 

CloudFlare and mel c] o Google also stated b6 
that CloudFlare posted information regarding the compromise on b7C 
their blog. 


CASE PREDICATION 


On approximately June 1, 2012, unknown indivi 1(3) 
compromised the personal Google Account operated yo b6 
a S ақымен! which was listed as the secondary emall on b7C 
s Google Apps account . The 
subjects used their access to the account to 
obtain access to the account, which was an 


administrator for cloudflare.com's Google Apps account. 


Google informed the FBI that the subjects compromised 
the account by initiating Google's account b6 
recovery procedures for the account. One of the account recovery b7C 
options was to receive a voice call to a recovery telephone 
number that the user had previously associated with the account. 


The voice call provides the user with а unique code that can be 
used to regain access to the account. 


According to CloudFlare's blog post, the subjects 
instructed Google's system to send a voice call to the cell phone 


ecovery number on the account, 

Accordinq to on his blog, the voicemail 
associated with the telephone number was 
compromised. Г ^ ]а1зо mentioned that he received an incoming 
call on his cell phone from telephone numbe The 
Googie records showed that telephone number was 


associated with th i Google advised that the subjects 
placed a call from шшш cell phone shortly 
before the incoming voice call from Google's account recovery 


System, thereby forcing the call from Google to the compromised 
voicemail box. 


Google advised that once the subjects obtained access 
to the account, the subjects attempted to lock 
out of the account by changing the password, secondary 
email address, and SMS recovery telephone number on the account. 
The subjects and[  ] fought for control of the account until 
Google staff disabled the account and provided access to the 
account back to 


While the subjects had access to ве] 


account, they used that access to compromise the 

b esting that a password 
be sent to the secondary 
Unlike the account, 
account was configured to use Google's 
2-step verification feature. However, a now-fixed flaw in the 
account recovery flow for Google Apps accounts allowed the 


subjects to bypass 2-step verification and compromise the 
[ ассоци, 

Once the subjects had access toL. ]s Google Apps 
account, they used that access to compromise other CloudFlare 
Google Apps accounts, iaeludius[ с] According to 
CloudFlare, the subjects used their access to modify proxy 
settings for[ j] CloudFlare published two blog posts about 


reset link for 


Google's investigative team also discovered that the 
subjects may have compromised other Google Accounts, in addition 
to the / CloudFlare accounts. In some cases, the 
subjects made unsuccessful recovery claims on Gmail accounts. 
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The San Francisco Division has opened а full 


investigation into i ich has been assigned to 
Special Agent (SA) 


Sincerely, 


Stephanie Douglas 
Special Agent in Charge 


Supervisory ор gent 
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U.S. Department of Justice 


Federal Bureau of Investigation 


In Reply, 450 Golden Gate Avenue b7E 
File No. San Francisco, California 94102 


(415) 553-7400 


June 13, 2012 


USA Melinda L. Haag b6 
United States Attorney BIC 
Northern District of California 
450 Golden Gate Avenue 
San Francisco, California 94102 
Attn: ВОВА| т 
San Jose United States Attorney's Office 
UNSUB(S), 
UGNAZI; 
GOOGLE INC. - VICTIM, 
CLOUDFLARE - VICTIM, 
VICTIM; b6 
COMPUTER INTRUSION b7C 
Dear USA Haag: 
Pursuant to the above captioned investigation, the 
Federal Bureau of Investigation (FBI) requests that the below 
listed individuals be placed on the Federal Grand Jury 6E list, 
in as much as they may require access to Grand Jury information 
during the course of the investigation: 
b6 
b7C 


Sincerely, 


Stephanie Douglas 
Special Agent in Charge 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/15/2012 


On June 14, 2012, Special Agent 
served a Preservation Request on 


The Preservation Request requested all records and other 


A copy ОЁ the preservation request, facsimile cover page 
and facsimile verification report are attached and made a part of 
this document. 


Investigation on 06/14/2012 a Campbell, California 
File Date dictated not dictated 


by SA | m 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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U.S. Department of Justice 


Federal Bureau of Investigation 


In Reply, Please Refer to 450 Golden Gate Avenue 
File No. San Francisco, CA 94102 
(415)553-7400 


June 14, 2012 


RE: Preservation Request 
Dear Custodian of Records: 


e Federal Bureau of Investigation (FBI) is requesting 
that take all necessary steps to preserve for a period of 
ninety (90) days any and all records and other evidence 


includin 


Title 18, U.S.C. 88 2703(f) states the following: 


(Е) Requirement to preserve evidence - 


(1) In general - A provider of wire or electronic 
communication services or a remote computing service,. 
upon the request of a governmental entity, shall take 
all necessary steps to preserve records and other 
evidence in its possession pending the issuance of a 
court order or other process. 


(2) Period of retention - Records referred to in 
paragraph (1) shall be retained for a period of 90 
days, which shall be extended for an additional 90-day 
period upon a renewed request by the governmental 
entity. 


The requested information relates to an ongoing, 
official criminal investigation. ТЕ is requested that you do not 
disclose the existence of the FBI's interest into this matter 
until you are notified that the investigation has been completed. 
Failure to comply with this request may subject you to criminal 
penalties, including, but not limited to, obstruction of justice 


b7E 


b6 
Gris 
b7E 


under Title 18 U.S.C. $$ 1503. Аз you аге aware, disclosure 


could impede the investigation and interfere with the enforcement 
of law. 


Should you have any questions or ne LE? 
information, please contact ЕВТ Special Agent at 
telephone пие H 

Sincerely, 


Stephanie Douglas 
Special Agent in Charge 


Supervisory Special Agent 
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DETAILS 


Subject: 
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+ Special Handling Instructions: 


b7C 


Brief Description of Communication Faxed: 


WARNING 
Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information disclosure, 


reproduction, distribution, or use of this information is prohibited (18.USC, 8 641). Please notify the originator or local FBI Office 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/15/2012 


b6 


14, 2012, Spec b7c 
b7E 
The Preservation Request requested all records and other 
evidence be preserved for 90 days for 
b6 
b7C 
b7E 


A copy of the preservation request, facsimile cover page 
and facsimile verification report are attached and made a part of 
this document. 


Investigation on 06/14/2012 а Campbell, California 


А b7E 

File Date dictated not dictated 
by SA | b6 
b7C 


This document contains neither recommendations nor conclusions of the ЕВЕ It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 


U.S. Department of Justice 


Federal Bureau of Investigation 


In Reply, Please Refer to 450 Golden Gate Avenue 
File No. San Francisco, CA 94102 
(415)553-7400 


June 14, 2012 


RE: Preservation Request 
Dear Custodian of Records: 

e Federal Bureau of Investigation (FBI) is requesting 
that take all necessary steps to preserve for a period of 
ninety (9 days any and all records and other evidence 
includin but not limited to 


Title 18, U.S.C. 88 2703(£) states the following: 


(Е) Requirement to preserve evidence - 


(1) In general - A provider of wire or electronic 
communication services or a remote computing service, 
upon the request of a governmental entity, shall take 
all necessary steps to preserve records and other 
evidence in its possession pending the issuance of a 
court order or other process. 


(2) Period of retention - Records referred to in 
paragraph (1) shall be retained for a period of 90 
days, which shall be extended for an additional 90-day 
period upon a renewed request by the governmental 
entity. 


b7E 


Ъ7Е 


b6 
b7C 
b7E 


sa 


"эы, 


The requested information relates to ап ongoing, 
official criminal investigation. It is requested that you do not 
disclose the existence of the FBI's interest into this matter 
until you are notified that the investigation has been completed. 
Failure to comply with this request may subject you to criminal 
penalties, including, but not limited to, obstruction of justice 
under Title 18 U.S.C. 88 1503. Аз you are aware, disclosure 
could impede the investigation and interfere with the enforcement 
of law. 


Should you have any questions or need additional 


information, plea pecial Agent[ Lag b6 
telephone number b7C 
Sincerely, 


Stephanie Douglas 

Special Agent in Charge 
b6 
b7C 


Su 1 Agent 
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Name of Office: Date: 


06/14/2012 


Attn: 
Compliance Team 


FROM 


Name of Office: 


Originator's Facsimile Number: 
408-558-3977 


DETAILS 


Subject: 
Preservation Request 


Special Handling Instructions: 


Brief Description of Communication Faxed: 


WARNING 
Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information disclosure, 
reproduction, distribution, or use of this information is prohibited (18.USC, 8 641). Please notify the originator or local FBI Office 
immediately to arrange for proper disposition. 
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FEDERAL BUREAU ОЕ INVESTIGATION 


Date of transcription 06/15/2012 


On June 14, 2012, Special Agent (SA) 
served a Preservation Request on 


The Preservation Request requested all records and other 


ps for 90 days for 


A copy of the preservation request, facsimile cover page 
and facsimile verification report are attached and made a part of 
this document. 


Investigation on 06/14/2012 а Campbell, California 
File # Date dictated not dictated 


by SA | Ы 


This document contains neither recommendations nor conclusions of ће FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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U.S. Department of Justice 


Federal Bureau of Investigation 


In Reply, Please Refer to 450 Golden Gate Avenue 
File No. San Francisco, CA 94102 
(415)553-7400 


June 14, 2012 


RE: Preservation Request 
Dear Custodian of Records: 
that 


nine 
includin 


take all necessary steps to preserve for a period of 


The Federal Bureau of Investigation (FBI) is requesting 
| Е: days апу апа all г n her idence 


Title 18, U.S.C. 88 2703(f) states the following: 


(£) Requirement to preserve evidence - 


(1) In general - A provider of wire or electronic 
communication services or a remote computing service, 
upon the request of a governmental entity, shall take 
all necessary steps to preserve records and other 
evidence in its possession pending the issuance of a 
court order or other process. 


(2) Period of retention - Records referred to in 
paragraph (1) shall be retained for a period of 90 : 
days, which shall be extended for an additional 90-day 
period upon a renewed request by the governmental 
entity. 


b7E 


b6 
b7C 
b7E 


The requested information relates to an ongoing, 
official criminal investigation. It is requested that you do not 
disclose the existence of the FBI's interest into this matter 
until you are notified that the investigation has been completed. 
Failure to comply with this request may subject you to criminal 
penalties, including, but not limited to, obstruction of justice 
under Title 18 U.S.C. 88 1503. As you are aware, disclosure 
could impede the investigation and interfere with the enforcement 
of law. 


Should you have any questions or need additional 
information, please contact FBI Special Agent[ sit 
telephone number 


Sincerely, 


Stephanie Douglas 
Special Agent in Charge 


b6 
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b6 
Gris 
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Name of Office: Number of Pages: (including cover) 
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Originator's Facsimile Number: 


408-558-3977 


Originator's Name: 


Originator's Telephone Number: 


Approved: 


DETAILS 


Subject: 
Preservation Request 


Special Handling Instructions: 


Please cotad | for any questions jf | x] 


Brief Description of Communication Faxed: 


WARNING 
Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information disclosure, 
reproduction, distribution, or use of this information is prohibited (18.USC, 8 641). Please notify the originator or local FBI Office 
immediately to arrange for proper disposition. 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/15/2012 


On June 14, 2012, Special Agent 
Served a Preservation Request on 


The Preservation Request requested all records and other 
evidence be preserved for 90 days for 


Investigation on 06/14/2012 а Campbell, California 


File J J] ee Date dictated not dictated 
by sal | 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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A copy of the preservation request, facsimile cover page 
and facsimile verification report are attached and made a part of 
this document. : 


U.S. Department of Justice 


Federal Bureau of Investigation 


In Reply, Please Refer to 450 Golden Gate Ave. 

File No. San Francisco, CA 94102 
(415) 553-7400 
June 14, 2012 


b7E 
Attention: Custodian of Records 
Re: Preservation request 
Dear Legal Compliance Department: 
Pursuant to Title 18, United States Code, Section 
2703(Е) you are hereby directed to take all steps necessary to 
preserve all records and other evidence in the possession of 
or the following: 
b6 
b7C 


b7E 


* 


b6 
b7C 
b7E 
Such records and evidence include, but are not limited 
to b7E 


Order requiring the production of all information (including 
content) pursuant to the Electronic Communication Transactional 
Records Act, 18 U.S.C. 8 2701, et seq. Under Section 2703(Е), 
you are required to preserve these items for a period of 90 days. 
This period is subject to renewal. 


Please be advised that your failure to comply with this 
request may subject you to criminal penalties, including, but not 
limited to, obstruction of justice under 18 U.S.C. 8 1503, et 
seq. 


Because this request in being made pursuant to an 
official criminal investigation, you are requested not to 
disclose this request, or its contents to anyone. 


If you have any questions or need additional 


information, pl ecial Agent Да b6 
telephone numbe or fax number (408)558-3977. bic 


Sincerely, 


Stephanie Douglas 
Special Agent in Charge 


b6 
b7C 


This request is made in anticipation of an appropriate 
Supervisory Special Agent 
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Subject: 
Preservation Request 


Special Handling In 


Please contact dk апу questions at NEM Я SC 


Brief Description of Communication Faxed: 


WARNING 


Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information disclosure, 
reproduction, distribution, or use of this information is prohibited (18.USC, 8 641). Please notify Ше originator ог local FBI Office 
immediately to arrange for proper disposition. 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/18/2012 


On June 11, 2012, Federal Bureau of Investigation (FBI) 


Staff Operations Specialist (SOS) [  — ]сопаосњеа open b6 
source searches and reviewed subscriber information provide b b7C 
Google on ] i : 
b6 
b7C 
t. 
5 
Ё 
А 
Investigation оп 06/18/2012 а Campbell, California 
ЬЛЕ 
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by b6 
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This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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The 2. email addres isted 
d | ___ Шаов tod ^ | Open 
" source searches confirmed both] C ^ Ге Twitter 
% accounts were compromised on June 3, 2012 by UNDERGROUND NAZI 
HACKTIVIST GROUP (UGNAZI).  UGNAZI tweeted telephone number 
оо в followers. In addition, UGNAZI changed the 
SMS telephone number on fs email account to eases 
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however, and SMS 
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ACS searches were negative concerning 
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From: Две) 


Sent: 2012 9:52 AM 

To: ) (ЕБІ) 

Cc: (IF) (FBI) 

Subject: СЗ complaint on UGNazi and email address| ^^ |@gmail.com 


Classification: UNCLASSIFIED 
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RECORD: | | 


‚Оп 06/27/2012, МР forwarded the attached complaint to s[ М the New York field b6 
office and S and SA with the San Francisco field office. ` 975 


Тһе complaint is оп the Anonymous splinter group UGNazi апа email address |ретай.сот. 


The complaint was filed with the IC3 on 06/26/2012 b C Je telephone d 
numbe[ Jana email addres mail.com reported that his gmail account was S 


compromised оп 05/12/2012 and the subjects used it to take over 23 domains he owns. He reported the subjects’ 
domain as ugnazi.com and emailaddressas[ @ртай.сот. 


orea he was able to recover 17 of the domains. One of the domains he was not able to recover was b6 
which he has owned for the last 10 years and has received numerous five figure offers for. Therefore, he 
reported he lost $50,000[ ]stated the subjects transferred his domain from GoDaddy to Internet.bs. He stated 
he and GoDaddy have repeatedly attempted to contact Internet.bs, but they refuse to investigate[ 1 believes 
Internet.bs is involved with the subjects. 


purportedly hijacked from another victim. 


[  ]betieves the ШШШ. are targeting high value domains since they went after hd ` ротай and they s 


A search of ACS on mail.com found that this email address was mentioned in San Francisco's cas E 
which was opened on 06/12/2012. Their case is оп UGNazi, and the victims ar ке 


06/14/2012, San Francisco served а preservation letter t 


and many others. The case file also mentioned s gmail account. The IC3 received a complaint on 6/4/12 
from reported „у 
[k twitter and gmail accounts were hacked b The complaint was 


request. 
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New York also has an open case on md | 


Recipients were requested to advise to writer if the information is utilized in their case. 
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Precedence: ROUTINE Date: 06/12/2012 


To: Cyber Attn: CCU-2 sa| | Е 


San Francisco 


From: San Francisco 
Squad CY2/Sa 
Contact: SA b6 


approved ву: [ — — Ил av 


Drafted By: ] 
rafte y jsn unb 


Case ID id: 


Title:  UNSUB(S), 
UGNAZI; 
GOOGLE INC. - VICTIM, 
CLOUDFLARE - VICTIM, 
- VICTIM; b6 
COMPUTER INTRUSION b7C 


Details: On June 8, 2012 Supervisory Special Agent (SSA ро 
nd Special Agent У C i ЕТК bic 
Investigator, Trust and Safety, telephone number 

onal йи юке И andp——— | essssssas 

Counsel, at their place of employment, Google Inc., 1965 | 

Charleston Road, Mountain View, California fter being advised 

of the identity of the interviewing &sents| | provided the 

following information: 

Г Мауізеа that the information being provided Бу x 


Google was in response to the subjects who compromised google 


Accounts belonging to the company CloudFlare and their 

м KEE that CloudFlare had also discussed 
this matter publicly on its blog. It appeared that on June 1, 
2012, the subjects compromised the 
operated by 
secondar 


ersonal Google Account 
which was listed as the 
s Google Apps account 

The subjects used their access to the 


Synopsis: To open case and subfiles. | 
UNCLASSIFIED 


